Not 'verifies'. Simply read the report and decide on the priority.
Filter out the reports saying "The padlock is missing on my Gmail" from those that say "If you type TRUE into the Gmail login password box, it will let you log in as any user, and 4chan has discovered it".
I think there's a difference between verifying a report and simply triaging it to the right team. Apple is doing the former while companies that respond in 15 mins are often doing the latter.
There are clearly 2 different levels of "evaluation" at play here.
Being able to "evaluate" every security bug submitted to you in 15 minutes implies relatively insignificant bugs, or it implies that you are not "evaluating" the bugs you claim you are "evaluating".
The first time a report came in on Meltdown/Spectre/Heartbleed, whatever, there is no way any serious security researcher could have fully evaluated that report in 15 minutes, never having seen or heard tell of it previously. Heck, just pulling together the requisite hardware and getting the requisite software on it might take more than 15 minutes. I don't buy that it could be "evaluated" in 15 minutes.
How do you feel about the word "triaged"? There are some reports that are obviously going to be worth an immediate response and some that aren't. And some will slip through the cracks, in either direction, because the queue is being watched by a human and not a robot. If the report contains a screenshot of your private admin panel, it's getting escalated.
Anyone serious got advance notice of Meltdown/Spectre/Heartbleed and had longer than 15 minutes to decide a course of action. Whether that's a good or bad thing about infosec as an industry, I can't decide.
I have had replies on bug bounty reports in under 10 before. It can and does happen.
Edit: To clarify, especially in cloud environments (which is most stuff these days) it's really not hard for someone to verify something if it's well written.
I might be a bit pessimistic here, but I'm betting that's not an experienced, trained individual that's responding to the ticket. It's like a level one techie who's basically just moving the ticket from one queue to another and potentially waking someone up if it looks scary enough.
It's certainly possible. I've handled a bunch of bug bounty programs and sometimes submissions come in at just the right time and attract just the right attention. It's not a reasonable expectation for the average submission.
It depends on your targets, IME. Huge companies? Yep, you'll get a "thanks for telling us" from a bigger bug bounty program and then not hear anything for weeks to months.
For small- and mid-sized companies that do bug bounties (of which there seem to be fewer and fewer these days as a percentage) you can definitely wind up submitting directly to the right people and get really quick response times.